XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Blocker
Fix Version/s: ACM 2.14.0
Affects Version/s: None
Component/s: Container Native Virtualization
Labels:
- RBAC
- TP
- Train-27
- acmrbac
- cnv
- cnv214
- cross-squad
- doc-ack
- doc-required
- tech-preview
- vbcrit

Epic Name:
ACM Fine Grained RBAC TECH-Preview
Activity Type:
Product / Portfolio Work
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Green
Epic Status:
Done
Feature Link:
VIRTSTRAT-51 - Enable fine-grained RBAC support in ACM for Virt use cases
Parent Link:
VIRTSTRAT-51Enable fine-grained RBAC support in ACM for Virt use cases
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

PX Impact Score:

Intelligence Requested:
Market:

Epic Goal

Skip first base and ... got direct to TECH-Preview of fine-grained RBAC based on discussion the last months see DDR for fine-grained-rbac

This work is mainly for integration with OpenShift Virtualization

Why is this important?

The Virtual Machine view, needs to be able to filter Virtual Machines based on namespaces that a given user is granted access to at the ACM hub level.

Scenarios

As a virtual machine user, I should see the virtual machines that are in the projects I have been granted access too. Access to projects for users or groups is done view ClusterPermission resources in the development preview.

Acceptance Criteria

If user1 has kubevirt.io:* on the project foo ONLY, they should NOT see virtual machines from namespace bar.

Dependencies (internal and external)

Aggregate API Server ~~ACM-18470~~
RFE - ClusterPermissions to allow JUST the creation of RoleBiniding and ClusterRoleBinding ACM-18969

Previous Work (Optional):

ClusterPermissions CRD & Controller
[Kessel POC that can create a ClusterPermission|Management Fabric - ACM / CNV PoC - Google Docs]

Open questions:

Can we move the kessel flag forward in parallel
Where do we converge kessel

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
Issue>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Figure out where and how we document that this affects ClusterPermissions and search results.
Considerations were made for Extended Update Support (EUS)

account is impacted by

ACM-17982 Design: ACM CNV Integration Enhancements (console focus)

Closed

depends on

ACM-17855 Search API queries RBAC API for Virtual Machine authorization

Closed

ACM-19141 How does RBAC UI get users and groups as defined in IdP

Closed

is blocked by

ACM-15712 ACM CNV Implement impersonation for VM related actions

Closed

ACM-19547 Providing an aggregated API to list kubevirt projects based on ClusterPermission

Closed

ACM-18470 Providing an aggregated API to list kubevirt projects based on user provided ClusterPermission

Closed

is duplicated by

ACM-17231 ACM Implement outcome of CNV-54365 for search - Confirm VM stop / restart / pause actions

Closed

is related to

ACM-16128 Apply single Cluster Gitops-RBAC for MultiCluster

RFE-6826 Granular RBAC for ACM's application lifecycle to support developer end-users leveraging logins at the ACM hub for their app-health needs

Refinement

(1 is blocked by, 1 is duplicated by, 2 is related to)

Assignee:: Joydeep Banerjee

Reporter:: Christian Stark

Manager:: Eveline Cai

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2025/02/18 2:27 PM

Updated:: 2025/09/16 1:27 PM

Resolved:: 2025/07/25 5:56 PM

Details

Description

Epic Goal

Why is this important?

Scenarios

Acceptance Criteria

Dependencies (internal and external)

Previous Work (Optional):

Open questions:

Done Checklist

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates